using wireshark with tomato

Discussion in 'Tomato Firmware' started by rs232, May 3, 2011.

  1. rs232

    rs232 Network Guru Member

    Attached Files:

    Last edited: Nov 26, 2014
  2. TT76

    TT76 Networkin' Nut Member

  3. Rakeesh

    Rakeesh Networkin' Nut Member

    Would you know it, that this thread comes up first when you google search this topic? Anyways, I happened across a precompiled binary of rpcapd which is also pre-configured to work with these routers (normally rpcapd isn't) and I thought I'd share where I found it, as most sites have a dead link:

    Also useful for this purpose is tcpdump:

    Now when I say this is pre-configured to work with these routers (these meaning pretty much all mipsr1/r2 routers, e.g. from wrt54g all the way to my netgear wnr3500l) it is setup to use the same login and password that you use to log in to the web gui. I use this particular one with tomato firmware, though it was originally meant for (I think) sveasoft. It will probably also work with dd-wrt, openwrt, hyperwrt, and others.

    All you really have to do is execute rpcapd from telnet and connect with wireshark using the right name/password, and that's it! You're capturing in real-time.
  4. rs232

    rs232 Network Guru Member

    Absolutely fantastic!

    Thank you sooo much. I run it from my cifs share and it works like a charm.

    rpcapd available here:


    I run the command:

    chmod 777 /cifs1/rpcapd
    /cifs1/rpcapd -b -p 12345 -d
    and on my wireshark client I've just specified:

    menu capture/options/remote:
    ip + port + tomato username + tomato password

    NOTE: this loads the list of tomato interfaces on the drop down menu on the right hand side. Just specify the physical/virtual interface you want to monitor and you're good to go.

    Brilliant, I think this topic deserves a sticky :biggrin:
    Many thanks again :wave:

    Last edited: Nov 26, 2014
  5. jyavenard

    jyavenard Network Guru Member

    Replying here to this old thread because it comes first doing a google search on tomato + wireshark.

    The option given above is using a very old version of tcpdump (circa 2004) which doesn't support IPv6 and many other stuff. I needed it so I added an option to automatically build tcpdump and have it in /usr/sbin.
    I spent a couple of hours trying to get rpcapd to build ... couldn't get tcpdump to work with its heavily modified (and old) version of libpcap.. So I gave up and tcpdump is all you need anyway
  6. matt01

    matt01 Serious Server Member

    I'm really sorry to dig this thread up, but I'd like to ask if someone who has the working rpcapd binary could send it to me, as the mirror specified here is dead and I was unable to find it anywhere else on the internet. I also tried to cross-compile it myself but gave up after a few hours... :(

    Thank you very much
  7. koitsu

    koitsu Network Guru Member

    While I think this is great (really I do!), can I ask why you couldn't just run tcpdump on the router itself, output the data to a file (i.e. tcpdump -i {interface} -p -s 0 -n -w /tmp/capture.pcap "expression"), then copy /tmp/capture.pcap off to a Windows/Mac and open it in Wireshark? This is the method I've used for years, and doesn't require me to go messing about with having to compile binaries and other whatnots.

    And if folks need a tcpdump binary, they can get one from Entware, or use rhester72's static binary here:
  8. matt01

    matt01 Serious Server Member

    Yea, I know I can do that but I'm trying to set up real-time capturing which is only possible with rpcapd.
  9. duprade

    duprade Serious Server Member

    I second that motion. I've gotten tcpdump to work... but I haven't found an rpcapd that works.
  10. koitsu

    koitsu Network Guru Member

    tcpdump does real-time capturing -- the analysis is what's done post-capture. In Wireshark, nobody in their right mind captures packets and does packet analysis at the same time -- it just isn't plausible (I know of no one who can do forensics faster than packets can be sent/received).

    So I think what you meant to say was "I don't like having to do the tcpdump stuff, then copy a file somewhere, open that up in Wireshark, etc... it's easier for me/saves me time to capture over the network via Wireshark + rpcapd". If that's the case -- gotcha! :)
  11. Bird333

    Bird333 Network Guru Member

    Here it is. Of course unzip it. :)

    Attached Files:

  12. duprade

    duprade Serious Server Member


    Thank you sir!
  13. fvultee

    fvultee Reformed Router Member

    Hey, thanks for the great article. So I downloaded rpcapd from this site, put rpcapd in /cifs1, chmod 777, tried to exec it and always get the same return "/cifs1/rpcapd: line 1: syntax error: unexpected "(" "

    I'm guessing something is incompatible with this version and my Tomato 1.28 on my e2000, but have no idea what that would be. Any ideas? I'd love to get this working.
  14. darkknight93

    darkknight93 Networkin' Nut Member

    Try to upload the binary via WinSCP. Sometimes files get corrupt if placed directly in the cifs share. Happened to me with some .sh files.
  15. fvultee

    fvultee Reformed Router Member

    Thanks man, got it to work, I had downloaded a rpcapd from another site and it wasn't compiled for this one, my bad. Using the version in this thread works great on my Tomato firmware and Wireshark.
  16. Lothar

    Lothar Reformed Router Member

    I can't download the file from this link?
    "You do not have permission to view this page or perform this action."

    Does anyone know what I could be doing wrong?

    Any chance of shibby and vic including rpcapd in their builds?
  17. Betomex

    Betomex Reformed Router Member

    I have the same problem, my account is new.
  18. yksu1

    yksu1 Reformed Router Member

    +1 same problem, with new account.

    Edit: I just succeeded in downloading the file. Thanks!
  19. ritslinux_2013

    ritslinux_2013 Reformed Router Member

    Hi all, I am new to this forum and stumbled upon this because I want to use Wireshark to monitor all traffic that goes through the router. I followed the steps to download the rpcapd file and used WinSCP to get it on the router.
    Problem is that I get the message "filesystem is read-only" when I try to copy the file to the /cifs1 directory.

    Should I not use something like /usr/bin to put the file on the router? I understand some basic Linux.
    I also find it strange that I cannot edit anything on the router when I ssh to the router using PuTTY or from a Linux bash prompt.

    Please help me to get rpcapd on the router and edit file permissions.
  20. lancethepants

    lancethepants Network Guru Member

    Tomato uses a squashfs file system, which means pretty much everything is read-only. Tomato runs some scripts at startup and uses nvram to store settings to set up the system as it boots.

    /etc is writable, as is /tmp, but these are stored in RAM, and anything placed in there will not survive a reboot.

    You can set up cifs in the Tomato GUI to mount a remote network share, and that would work. /cifs by itself is nothing though, just a directory meant for mounting other network shares.

    The advisable thing is to store things on USB (if available), or in /jffs (if available and you have sufficient space; depending on your router /jffs may be very small). Most people mount their flash drives to /opt, which is also useful for running Entware. If neither of these is an option, you'll have to set up another PC to share a network location for storage for your router and use cifs.
  21. ritslinux_2013

    ritslinux_2013 Reformed Router Member

    Thanks lancethepants, you gave some good and useful information.

    My main OS is Linux and most users here are on Windows I noticed, looking at all the help. They differ maybe slightly in approach, but this sometimes makes huge differences. For instance Wireshark (Linux version) does NOT have a remote-connection option, but some pipe construction by ssl must be used.

    I will consider a network solution later when this all works as it should.

    My router is a Linksys 54GL and has no USB port available, so I used the approach to put the rpcapd in /tmp/etc and make it executable (chmod 777) and start the daemon with "rpcapd -b -p 12345 -d".
    I can check it running by ssl to the router and check with top.

    While still on Windows I run Wireshark and see all (remote) devices that the router gives me: vlan0 vlan1 eth0 eth1 etc. Which one to choose now?

    Anyway I played with some different devices and then Wireshark crashes after some time of capturing... (something about small buffer)

    I was hoping to get some stable setting that would give me a pcap over some longer time, but no luck so far.

    I also will try to use the Linux approach but I cannot figure out yet how to get the ssl pipe to work.

  22. Monk E. Boy

    Monk E. Boy Network Guru Member

    If you look in the Tomato interface (your router's website) under Bandwidth it should list all the interfaces with a breakdown of what vlan1, vlan0, etc. correspond to (WAN, WLAN, etc.). br0 is a bridge between ethernet (LAN) and wireless (WLAN).
  23. Almaz

    Almaz Networkin' Nut Member

    Just downloaded Bird333's rpcapd file and uploaded it to my router but I'm getting an error message:
    I'm exiting from the child loop
    The other host terminated the connection.
    Child terminated

    Even with an error message it looks like I'm able to get the data from Wireshark, but I'd like to know if it's my setup having this error or everyone else having the same error. I tried the default port 2002 and other random ports and I'm still getting that message. Can anyone chime in on that problem? I'm not using optware or entware. I'm using Shibby 112 build.
    Last edited: Aug 17, 2013
  24. janderia

    janderia Networkin' Nut Member

    Same issue here... I can't download rpcapd. :-(
  25. Almaz

    Almaz Networkin' Nut Member

    Read the whole thread and you'll find a link
  26. rs232

    rs232 Network Guru Member

  27. janderia

    janderia Networkin' Nut Member

  28. Goggy

    Goggy Network Guru Member

    Hi - you found the reason for this behavior?
  29. Brian Davidson

    Brian Davidson Reformed Router Member

    I'm having the same problem as Almaz. Does anyone know the explanation and/or solution to this?
  30. Almaz

    Almaz Networkin' Nut Member

    I didn't find a solution to the error but Bird333's rpcapd worked fine with wireshark. You can always install entware and try rpcapd from their repository. I didn't check but they might have a newer version as well.
  31. Brian Davidson

    Brian Davidson Reformed Router Member

    Almaz, thanks for the quick reply. It made me try again this evening and I found the problem was with the CKI - I had used the wrong password when trying to connect WireShark to the daemon. It works fine now.

    Many thanks to you, Bird333, rs232, and the other contributors to this thread.

    Installation notes in case they help someone:
    • My CIFS1 is mapped to a SAMBA share on a QNAP box (ARM Linux). Having downloaded Bird333's zip file on my Win8 PC, I dragged the rpcapd file to the root of that share. Still from the Windows PC I opened the properties on it and in the security tab, marked it full access for all users and groups listed there.
    • On the router, after changing the current directory to /cifs1, I ran the command rpcapd -b -d to start the daemon. Here's the strange thing: It seems to have started two identical tasks. I checked the active tasks using the ps command before issuing the command, so I know there was not already a copy running.
    • The next (minor) step is to add the command to the router startup, but timing is a consideration. In certain circumstances the cifs1 share may not be available when the router attempts to run the rpcapd command.
  32. Brian Davidson

    Brian Davidson Reformed Router Member

    My next step is to set up, on a second server, a process that constantly watches the rpcapd feed and does a running analysis and summary. The end goal is to have a web page that can give me a quick view of what devices in my network are doing at any given moment (perhaps for the last 15 or 30 seconds). The first graphics I create would be two pie-charts showing the data volume in, and out, per device. Once that's done, others will probably be easier - such as a running graph of usage by device.

    Perhaps there's already a tool out there that does this. Does anyone know? I haven't looked yet.
  33. rs232

    rs232 Network Guru Member

  34. koitsu

    koitsu Network Guru Member

    Is anyone working on getting rpcapd into Entware (for mipsel, as I don't think there's ARM in Entware yet)?

    If not I can try to spend some time doing this over the holiday, but I don't have a good package building environment set up for Entware at this point.
  35. rs232

    rs232 Network Guru Member

    I did ask Lancethepants about tomatoware and ARM support; I seem to understand he's looking into it, so it's perhaps worth getting his input directly.
  36. koitsu

    koitsu Network Guru Member

    The issue described in this thread I've been able to reproduce. The problem seems to have to do with pty/tty control in some way (our Busybox really needs to be built with proper stuff turned on, sigh). There are numerous problems that need to get figured out. I'll outline them here:

    1. Running rpcapd -b -n from the shell works fine. This runs it in foreground mode, and you're told to press Ctrl-C to end rpcapd. However, upon pressing Ctrl-C, your entire telnet session (to the router) is terminated. This seems to indicate rpcapd is doing some very stupid things with the local pty/tty, or that it literally kills the parent process shell. Figuring this out is tricky since the entire telnet session is lost in real-time.


    root@gw:/opt# ./rpcapd -b
    Press CTRL + C to stop the server...
    {pressed Ctrl-C here}
    Connection closed by foreign host.
    (13:34:10 jdc@icarus) ~ $
    Even when running in the foreground this daemon forks. Verification:

    root      7728   548  0 13:37 pts/0    00:00:00 -sh
    root      7772  7728  0 13:47 pts/0    00:00:00 /opt/rpcapd -b -n
    root      7773  7772  0 13:47 pts/0    00:00:00 /opt/rpcapd -b -n
    So my guess is that when pressing Ctrl-C, somehow this thing ends up killing the wrong parent pid (i.e. the shell session used to launch it).

    2. Logging back in and running rpcapd -b -n (note it's still foreground!) intermittently returns "bind(): Address already in use (code 125)" even when there is no rpcapd process running (checked with ps, looked for open file descriptors relating to port 2002 with lsof, etc.). This further indicates rpcapd is doing something very suspicious with underlying signals, pty/tty code, or parent/child forking model, causing very uncomfortable mayhem.

    Waiting an arbitrary amount of time (usually 5-10 seconds) tends to release this problem, whatever it may be. I have almost never seen a *IX binary act like this, so this is very very disturbing to me.

    I can confirm that with the -d flag (daemon/background), the parent forks a child. You'll even get a message of "Child terminated" when launching (weird if you ask me). The parent ends up being owned by PPID 1 (init), while the child has a PPID of the parent process. Example:

    root@gw:/tmp/home/root# /opt/rpcapd -d -b -n
    Child terminated
    root@gw:/tmp/home/root# ps -aef | grep rpcap
    root      7765     1  0 13:44 ?        00:00:00 /opt/rpcapd -d -b -n
    root      7766  7765  0 13:44 ?        00:00:00 /opt/rpcapd -d -b -n
    So to terminate rpcapd here cleanly, you need to kill the proper parent (in this case 7765 -- the one with a PPID of 1).

    3. The fact rpcapd doesn't provide native pidfile support is very disheartening. It means making this software truly "daemonised" and manageable through Entware scripts etc. is painful and very annoying + likely to not work reliably.

    4. Daemon mode does not properly reassign stdin/stdout/stderr. Take this situation for example:
    * Ran /opt/rpcapd -b -4 -n -d
    * Checked processes:

    root@gw:/tmp/home/root# ps -aef | grep rpcapd
    root      7811     1  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7812  7811  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    * Checked open fds on all these processes -- note fd 0/1/2 are still bound to the pty that ran the process in the first place:

    root@gw:/tmp/home/root# lsof -n -P -p 7811
    rpcapd  7811 root  cwd    DIR   0,10       80   233 /tmp/home/root
    rpcapd  7811 root  rtd    DIR   31,2      208    49 /
    rpcapd  7811 root  txt    REG    8,0   501961 98306 /opt/rpcapd
    rpcapd  7811 root    0u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7811 root    1u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7811 root    2u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7811 root    3u  IPv4  63327      0t0   TCP (LISTEN)
    root@gw:/tmp/home/root# lsof -n -P -p 7812
    rpcapd  7812 root  cwd    DIR   0,10       80   233 /tmp/home/root
    rpcapd  7812 root  rtd    DIR   31,2      208    49 /
    rpcapd  7812 root  txt    REG    8,0   501961 98306 /opt/rpcapd
    rpcapd  7812 root    0u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7812 root    1u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7812 root    2u   CHR  136,0      0t0     2 /dev/pts/0
    rpcapd  7812 root    3u  IPv4  63327      0t0   TCP (LISTEN)
    * Opened Wireshark, began a capture on vlan2 interface
    * Noticed that now rpcapd has forked off even more children:

    root@gw:/tmp/home/root# ps -aef | grep rpcapd
    root      7811     1  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7812  7811  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7824  7812  0 13:51 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7825  7824  0 13:51 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7826  7825  0 13:51 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    * Ended capture in Wireshark
    * In my terminal, in the middle of shell output, I see this:

    root@gw:/tmp/home/root# The other end system asked to close the connection.
    I'm exiting from the child loop
    Child terminated
    * And we're back down to 2 processes:

    root@gw:/tmp/home/root# ps -aef | grep rpcap
    root      7811     1  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    root      7812  7811  0 13:50 ?        00:00:00 /opt/rpcapd -b -n -4 -d
    * The workaround for the fd 0/1/2 nonsense is to use nohup along with redirecting stdout to /dev/null (because Busybox nohup is stupid). Now we see that fd 0/1/2 are all going to /dev/null:

    root@gw:/tmp/home/root# nohup /opt/rpcapd -b -n -4 -d > /dev/null
    root@gw:/tmp/home/root# lsof -n -P -p 7858
    rpcapd  7858 root  cwd    DIR   0,10       80   233 /tmp/home/root
    rpcapd  7858 root  rtd    DIR   31,2      208    49 /
    rpcapd  7858 root  txt    REG    8,0   501961 98306 /opt/rpcapd
    rpcapd  7858 root    0r   CHR    1,3      0t0   204 /dev/null
    rpcapd  7858 root    1w   CHR    1,3      0t0   204 /dev/null
    rpcapd  7858 root    2w   CHR    1,3      0t0   204 /dev/null
    rpcapd  7858 root    3u  IPv4  63540      0t0   TCP (LISTEN)
    Last edited: Nov 28, 2014
  37. koitsu

    koitsu Network Guru Member

    I wrote an Entware startup script for rpcapd today. There is still no Entware package for rpcapd, but I'll be trying to spend some time on that, well, when I have the spare cycles.

    rpcapd behaves very, very oddly for a daemon. I think there are some questionable design choices within it that make it behave oddly, and I have done my best to comment my script thoroughly so that some of those oddities are apparent.

    I call this S70rpcapd and it's to be placed in /opt/etc/init.d (or you can make a symlink from there into some other place, e.g. /opt/etc/init.d/S70rpcapd --> /some/other/place/S70rpcapd).

    It supports start, stop, and restart. I have not tested the reliability of restart.

    It does not comply with the general usage/syntax of rc.unslung scripts because it has to do its own startup routine.

    The arguments/flags used specifically bind it to the TomatoUSB LAN IP address NVRAM variable, and it does not work with IPv6 (I bind to IPv4 only). Change these if you wish.

    You may need to change the $rpcapd variable in the script to point to your rpcapd binary depending on where it is. Once there's an Entware package, though, that should be standardised.

    The license is the 2-clause BSD license (i.e. do whatever you want with this script but you need to keep the copyright notice and I'm not held responsible for any breakage).

    #!/bin/sh
    # Copyright (C) 2014-2015 Jeremy Chadwick. All rights reserved.
    # Redistribution and use in source and binary forms, with or without
    # modification, are permitted provided that the following conditions
    # are met:
    # 1. Redistributions of source code must retain the above copyright
    #    notice, this list of conditions and the following disclaimer.
    # 2. Redistributions in binary form must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer in the
    #    documentation and/or other materials provided with the distribution.
    #
    # Entware script for rpcapd
    #
    # Things of importance:
    # 1. rpcapd does not properly daemonise itself with the -d flag.  It
    # still leaves fd 0/1/2 (stdin/stdout/stderr) tied to whatever pty ran
    # the process.  Busybox "nohup" can be used to relieve some of this
    # pain, but not entirely.
    # 2. rpcapd does not have a way to maintain its own pidfile.  Therefore,
    # this shell script has to do it for it.  It's not as easy as using $$
    # either, because of how rpcapd forks itself.  The proper "master process"
    # actually ends up having a PPID of 1.  The easiest way to match the
    # correct process is to use pgrep, but that doesn't come with Busybox,
    # it's part of an Entware package.  So we get to do some silly nonsense
    # to figure out which rpcapd process is "the right one" when making our
    # pidfile.

    # Path to the rpcapd binary; change this to wherever yours lives.
    # (Value assumed: /opt/rpcapd is the location shown in the process
    # listings earlier in this thread.)
    rpcapd="/opt/rpcapd"
    # Pidfile location and awk binary (values assumed; Busybox awk handles
    # the expression used below, so no Entware awk is required).
    pidfile="/opt/var/run/rpcapd.pid"
    awk="awk"
    # rc.unslung supplies ACTION; also accept it as the first argument so the
    # script can be run by hand (added for stand-alone use).
    ACTION="${1:-${ACTION}}"
    # Bind to the TomatoUSB LAN IP only, IPv4 only.  Note that in upstream
    # rpcapd's usage text -n means "permit NULL authentication".
    flags="-n -4 -b $(nvram get lan_ipaddr)"

    start() {
      if [ ! -x "${rpcapd}" ]; then
        echo "${rpcapd} missing; bailing..."
        exit 1
      fi
      # Properly background the process and set fd 0/1/2 to /dev/null.
      # Redirecting stdout makes it a non-tty, so Busybox nohup sends stderr
      # there as well (see the lsof output in the previous post).
      nohup "${rpcapd}" -d ${flags} > /dev/null
      rc=$?
      if [ ${rc} -ne 0 ]; then
        echo "${rpcapd} did not start correctly (exit code ${rc}).  Process may"
        echo "be running or in some weird state.  Manually investigate."
        exit ${rc}
      fi
      # Sleep for 2 seconds.  You might think this is unnecessary -- it isn't.
      # rpcapd apparently starts, then forks a child, then that child becomes the
      # parent, and forks *another* child.  Proof:
      # On fresh start-up:
      # UID        PID  PPID  C STIME TTY          TIME CMD
      # root      8307     1  0 16:13 ?        00:00:00 /opt/rpcapd -d -n -4 -b
      # root      8308  8307  0 16:13 ?        00:00:00 /opt/rpcapd -d -n -4 -b
      # Then a few hundred milliseconds later (sometimes up to 1 second):
      # UID        PID  PPID  C STIME TTY          TIME CMD
      # root      8308     1  0 16:13 ?        00:00:00 /opt/rpcapd -d -n -4 -b
      # root      8319  8308  0 16:13 ?        00:00:00 /opt/rpcapd -d -n -4 -b
      # Pay close attention to the PPIDs there.  What happened to PID 8307?
      # This is why we need the sleep statement.
      sleep 2
      # Now figure out what the actual PID of the parent rpcapd process
      # is.  It should have a PPID of 1, unlike its children.  The methodology
      # used here is:
      # - Use pidof to get a list of all the rpcapd processes (parent and children)
      # - Iterate over each result, examining /proc/{pid}/stat and looking at the
      #   2nd (process name in parens), and 4th fields (PPID).  The master rpcapd
      #   process should have a PPID of 1.
      # We cannot use pidof against $rpcapd (full path) because Busybox pidof
      # is stupid in how it does its vague/ambiguous string matching.
      masterpid=""
      for p in $(pidof rpcapd); do
        # A process may exit between pidof and the read; ignore that noise.
        pid=$(${awk} '$2 == "(rpcapd)" && $4 == 1 { print $1 }' /proc/${p}/stat 2>/dev/null)
        if [ -n "${pid}" ]; then
          masterpid="${pid}"
          break
        fi
      done
      if [ -z "${masterpid}" ]; then
        echo "Unable to detect rpcapd master PID.  ${pidfile} was not written"
        echo "to, or may be stale.  You need to manually intervene."
        exit 1
      fi
      mkdir -p "${pidfile%/*}"
      echo ${masterpid} > "${pidfile}"
      echo "Started rpcapd (pid ${masterpid})"
    }

    stop() {
      if [ -f "${pidfile}" ]; then
        # Killing the master (PPID 1) is what terminates rpcapd cleanly.
        kill $(cat "${pidfile}")
        rm -f "${pidfile}"
        echo "Stopped rpcapd"
      else
        echo "ERROR: ${pidfile} does not exist."
        exit 1
      fi
    }

    case ${ACTION} in
      start)
        start
        ;;
      stop)
        stop
        ;;
      restart)
        stop && start
        ;;
      check|kill|reconfigure)
        # no-ops (patterns assumed: the remaining rc.unslung actions)
        ;;
      *)
        echo "Usage: $0 (start|stop|restart)"
        exit 1
        ;;
    esac
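An added check, not part of koitsu's script or of any binary in this thread: it rates how exposed a given rpcapd command line is, using the flag meanings from upstream rpcapd's usage text, where -n means "permit NULL authentication" (password-less logins, meant to be paired with -l host_list) rather than foreground mode. Assumptions: the patched router binary honours those flags the same way, a bare -b with no address (as typed in several posts above) means "listen on every local address", and /proc is available for the live audit.

```shell
#!/bin/sh
# Rates how exposed an rpcapd command line is.  Flag meanings follow upstream
# rpcapd's usage text (-b addr, -p port, -4, -l host_list, -n = permit NULL
# authentication, -d daemon); assumption: the patched router binary from this
# thread honours them the same way.  A bare "-b" with no address is treated as
# "listen on every local address" (assumption).
# Usage: rpcapd_exposure [rpcapd flags...]  -> prints findings, returns their count.
rpcapd_exposure() {
    bind_addr="" port="2002" null_auth=0 host_list=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -b) case "$2" in
                    ""|-*) bind_addr="" ;;          # no address given
                    *)     bind_addr="$2"; shift ;;
                esac ;;
            -p) port="$2"; shift ;;
            -l) host_list="$2"; shift ;;
            -n) null_auth=1 ;;
            -a|-s|-f) shift ;;                      # take an argument; not assessed
            *)  ;;                                  # -4, -d, -v, -h, binary path
        esac
        shift
    done
    findings=0
    if [ "$null_auth" -eq 1 ] && [ -z "$host_list" ]; then
        echo "WARN: -n permits password-less (NULL) logins and no -l host list limits"
        echo "      who may connect: any host reaching tcp/$port can capture every interface."
        findings=$((findings + 1))
    fi
    if [ -z "$bind_addr" ]; then
        echo "WARN: no bind address: rpcapd listens on every local address, WAN side"
        echo "      included, unless the router firewall blocks tcp/$port from outside."
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: bound to $bind_addr:$port with authentication or a host list in place."
    fi
    echo "NOTE: this rpcap protocol version carries credentials and captured packets"
    echo "      in clear text; keep it reachable from the management LAN only."
    return "$findings"
}

# Audits every running rpcapd found via /proc, reusing rpcapd_exposure.
# Returns the total number of findings across all instances.
# (Splitting cmdline on spaces is lossy for exotic arguments; fine for rpcapd flags.)
rpcapd_audit_live() {
    total=0
    for cmd in /proc/[0-9]*/cmdline; do
        args=$(tr '\0' ' ' < "$cmd" 2>/dev/null) || continue
        case "$args" in *rpcapd*) ;; *) continue ;; esac
        pid=${cmd#/proc/}; pid=${pid%/cmdline}
        echo "== pid $pid: $args"
        set -- $args
        rpcapd_exposure "$@" || total=$((total + $?))
    done
    return "$total"
}
```

Run rpcapd_audit_live on the router (it is plain Busybox sh) to rate whatever rpcapd instance is currently running.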
  38. rs232

    rs232 Network Guru Member


    Lance, I was trying to use rpcapd with the latest ARM builds and it appears to crash as soon as I connect remotely.
    Looking at github it appears the source was updated in 2017.

    Is there any chance you can compile the latest for arm and mips?

    Many thanks!
  39. Bird333

    Bird333 Network Guru Member

  40. Sean B.

    Sean B. Network Guru Member

    I have no issues with rpcapd crashing upon remote connection, or any other abnormal operation. The ARM binary I use can be downloaded from my google drive here if anyone wants to give it a try.